SSL support: current state and issues

Andreas Hartmetz ahartmetz at gmail.com
Sat Dec 8 07:45:05 GMT 2007


Hi all,

I've been working on a replacement for KSSL for a couple of weeks now and it 
looks like people are actually waiting for it and need it.
The place where the most important things happen in KSSL is TCPSlaveBase. 
TCPSlaveBase is the base of all network ioslaves and KSSL is more or less 
just woven into it. Probably more than half of the TCPSlaveBase code in trunk 
is just SSL. There are some helper classes (15?) with no discernible (to me) 
structure around that core of which some are user interface classes.

The approach for a replacement is to have a KTcpSocket which uses QSslSocket 
as a backend for now but which is different enough from QSslSocket to allow 
different backends - I'm thinking of QCA::TLS and that is in fact what I 
always check when deciding on some API details.

Right now I have a TCPSlaveBase that works for non-SSL and SSL sites but only 
if there are no SSL errors. There are several catches with SSL errors:
-QSslSocket has more different types of errors than QCA::TLS and QSslSocket
 always tells you which certificate is involved in that error. The certificate 
 to an error does not seem to be easy to find in all cases with QCA::TLS.
 [Scratch that, actually QSslError does never contain a nonempty 
 certificate(). Interesting.]
-There are errors of which I have no idea what they mean. The only 
 documentation that really helps there is OpenSSL's which is crap and 
 incomplete (parts not dealing with errors seem to be better) so I'll have to
 read its code. Gah.
 An example is QSslError::QSslError::CertificateSignatureFailed aka 
 X509_V_ERR_CERT_SIGNATURE_FAILURE in OpenSSL.
 [It turns out that playing around with funny servers is the best way to find 
 out what the errors really mean. Also, some simple errors give a list of 
 several different errors...]

I started the above paragraph, didn't know what exactly to write and went back 
to the code. That is why I'm answering my own questions.

Lowest on the todo list are client certificate support (because it's rather 
exotic) and (way down) session reuse if that is even possible. It is/was 
apparently supposed to work in KDE3 but (suprise!) according to the gnutls 
test server it really doesn't work.

Next is putting together the error handling with user interaction. I have some 
nice classes that will handle rules in a much more straightforward way than 
before. Look up "creeping elegance" :)
You can find my work branch at branches/work/newssl. The interesting things 
are mostly in kdelibs/kdecore/network/ and kdelibs/kio/kssl/ and 
kdelibs/kio/kio/.

Sorry if that was somewhat incoherent, it's hopefully good enough to give you 
a rough idea anyway :) - Ask for more info if you want.

Cheers,
Andreas




More information about the kde-core-devel mailing list